Archives

Categories

Meta

Tag: Dump

Portable Executable file structure is still in progress and extending specially for PE64 images. In the other side malware creators and developers are constantly changing their techniques and writing malicious codes to evade AVs and other security tools. It’s an ongoing challenge…

To deal with it, I’ve added some new features and changed some of the existing features to make PPEE compatible and easier to use.

Some of the most important changes are as follows:
• Toolbar and Statusbar are added. Toolbar includes some of the frequently used menu items. There is nothing to do with statusbar at the moment. It will be used in the next versions.

• Check update is added to check whether new version of PPEE is released or not. The check can also be done at startup but I think it would be a little annoying to show a dialog every time that program runs. May be in the next versions an option to disable/enable showing update dialog at startup would be added.

• Looking for a string, for example an URL in the file is a tedious task. I’ve added four child nodes to the tree to separate ASCII, UNICODE, URL and Registry strings. If you need something else please let me know.

• As said before, Anomaly detection is added. There are two colors for this. Orange for Warning and red for Error. Most of the anomalies and thresholds are taken from documents and specifications. Anomaly rules for example strange section names are embedded in PPEE. This is not suitable for long rules. Maybe in the next versions add a blacklist file beside main executable to store strange or blacklisted items.

• Right click context menu is added to Copy, Search, Whois and Dump. Copy item, copies the selected field and Copy Row, copies entire selected rows. In the search menu you can search selected field in the Google and MSDN. Whois is only shown for strings. It’s really useful for urls. If you know any other site that can be added to this list please let me know. Dump menu item is also added. It’s only shown for “Section Headers”, resources, COM(.Net) directory and MetaData. Clicking on Dump a save as dialog would be shown. At the moment “Follow in Hex editor” is not functioning.

• Edit every structure that is shown, was one of the features that I demanded to be supported in PPEE. Now just double-click on a field that you want to edit, write the new value and press Enter or click somewhere else. When you press Enter, the next row would be selected, press Enter again to edit that field. If the value didn’t changed it means that it’s not editable. Press Esc to cancel editing.

For the plugin I decided to add Virustotal query result and some descriptive information about the file which would be useful for novices. If you know any other online scanning engine that is up to date and reliable please let me know.
Finally, any idea is welcome 😉